The second incident pertained to Netgear and Cisco modems that Optus had deployed to 197,000 and 110,000 customers, respectively, since 2008. In order to administer the cable modems remotely, the company deliberately chose not to change the devices’ manufacturer passwords. This left hundreds of thousands of customers vulnerable to fraudulent calls by third parties.

Optus did not discover the flaw until April 2014, at which point it closed off the vulnerability.

“I appreciate the positive way in which Optus worked with our Office to address these incidents. I consider that the enforceable undertaking is an appropriate outcome that will ensure Optus takes steps to strengthen its privacy controls and meet its security obligations under the Privacy Act.”